Rennie deGraaf
iSEC Partners
07 August 2014
Outline
  2 Attacking SVG
      Attack surface
      Security model
      Security model violations
  4 Conclusion
What is SVG?
A simple example: source code [figure not reproduced in this extract]
A simple example: as rendered [figure not reproduced in this extract]
I am not an artist.
Ways SVG can be included in a web page:
  As a static image:
    img tag
    CSS resources (eg, background-image)
  As a nested document:
    object tag
    embed tag
    iframe tag
  In-line
  canvas tag
Attack surface
Since SVG can do pretty much everything that HTML can do, the attack surface is
very similar:
XML attacks (Billion Laughs, etc.)
DOM attacks
XSS
Etc.
Billion Laughs: as rendered in Chrome [figure not reproduced in this extract]
Billion Laughs: as rendered in Firefox [figure not reproduced in this extract]
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8"/>
</head>
<body>
<h1>Same-origin SVG</h1>
<div style="border: 1px solid black">
<object data="harmless.svg" type="image/svg+xml"
width="68" height="68"></object>
</div>
</body>
</html>
XSS: code
<?php
header("Content-type: image/svg+xml");
echo "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>";
?>
<svg
xmlns="http://www.w3.org/2000/svg"
width="68"
height="68"
viewBox="-34 -34 68 68"
version="1.1">
<!-- the colour parameter is echoed unescaped into an attribute: this is the injection point shown on the next slide -->
<circle
cx="0"
cy="0"
r="24"
fill="<?php echo $_GET['colour']; ?>"/>
</svg>
XSS: results
(a) http://svg.test/circle-xss.svg.php?colour=blue
(b) http://svg.test/circle-xss.svg.php?colour="/><script>alert(/pwnt!/);</script>
Security model
SVGs loaded as static images are treated like other image formats:
  External resources (stylesheets, scripts, other images, etc.) are not loaded.
  Scripts are never executed.
  Internal stylesheets and data URIs are allowed.
SVGs loaded as nested documents are treated just like HTML:
  External resources are loaded.
  Scripts are executed.
  Same-Origin Policy applies.
  Sandboxed iframes disable script execution.
Browsers must never load a document as a child of itself. [1]
[1] https://code.google.com/p/chromium/issues/detail?id=384527
Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 32 / 55
Attacking SVG: Security model violations
Recursion
We get SVGnal. Main SVGeen turn on.
Browsers' checks for recursive documents are based on the URI, so as long as the URI changes at every iteration, we can make a recursive document.
The query string is part of the URI, but is ignored by HTTP file servers.
To change the query string at every iteration, we need scripting.
We can't use svg:image because that doesn't run scripts, so we use html:object inside svg:foreignObject.
Internet Explorer doesn't render svg:foreignObject, [2] but IE does run scripts and load external documents inside it!
[2] http://msdn.microsoft.com/en-us/library/hh834675(v=vs.85).aspx
Recursion: code [not reproduced in this extract]
Recursion: as rendered in Firefox [figure not reproduced in this extract]
Recursion: as rendered in Chrome [figure not reproduced in this extract]
Recursion: as rendered in Internet Explorer [figure not reproduced in this extract]
Recursion: IE and image [figure not reproduced in this extract]
Recursion: as rendered in IE [figure not reproduced in this extract]
IE 11 and 12 DC1 run >250,000 iterations before crashing, which takes a while.
Reported to Microsoft; "Not a security bug".
[4] http://status.modern.ie/contentsecuritypolicy
Content Security Policy: CSP violations
When an SVG with in-line CSS is loaded with style-src 'self' from a static image context, the CSS is applied contrary to the CSP. [5]
[5] https://code.google.com/p/chromium/issues/detail?id=378500
Other issues
Firefox did not properly apply CSP to sandboxed iframes prior to version 28.0. It is still not properly applied in the Firefox 24 ESR branch. [9] This appears to have been due to wider problems with sandboxed iframes.
Both Chrome [10] and Firefox [11] display in-line SVG even under the CSP img-src 'none'. There does not appear to be agreement on whether an in-line SVG is an image or something else. My position is that since data: URIs can be blocked using img-src, in-line SVG should be blockable as well.
style-src didn't prevent Chrome from incorrectly loading cross-origin stylesheets from static image SVGs. [12]
[9] https://bugzilla.mozilla.org/show_bug.cgi?id=1018310
[10] https://code.google.com/p/chromium/issues/detail?id=378500
[11] https://bugzilla.mozilla.org/show_bug.cgi?id=1018310
[12] https://code.google.com/p/chromium/issues/detail?id=378500
Conclusion
Lessons to be learned
Treat SVG like you would HTML, not like you would PNG.
Never load untrusted SVG as an object or iframe from the same origin as trusted content.
Major browsers still have issues correctly enforcing web security rules.
CSP is your friend. Use it. Even if you can't use it right away, design new code to be CSP-compatible.
Future work
Mobile browsers
Different CSPs on HTML and embedded SVG
SVG 2.0: iframe and canvas and other fun stuff?
SVG’s use element and anything else that takes a URI argument
IE12’s CSP implementation
More information
Questions?
https://www.isecpartners.com
http://isecpartners.github.io